The widespread connectivity and data sharing capabilities of Internet of Things (IoT) technology is leading to a swift uptake in interest at an enterprise level, with this shift showing no sign of abating anytime soon. IDC’s Worldwide IoT Forecast report found that spending on the technology will reach an estimated £1.7tn by 2020, with the lion’s share of spending being done by the enterprise.
As the technology becomes increasingly widespread, the spotlight will rightly be shone upon security. The Cloud Security Alliance recently released security guidance for early adopters and this is a clear first step toward regulating the way smart devices interact with each other across the internet. However, we’re still a long way from making these standards mandatory and holding manufacturers or network administrators accountable for not adhering to them.
Managing the risks to enterprise data
One of the most prominent areas of concern with regards to the IoT is privacy, with the risk that connected devices have the capability to illegally spy on users. With more devices becoming IP-enabled, an attacker could use software vulnerabilities to track the activities of both devices and their users. It will therefore become a sizeable challenge to manage all of these once connected to networks.
Companies and IT administrators need to be aware of the risks to enterprise data, particularly as wearable technology transitions to office networks. Built-in network capabilities make any device a potential backdoor into enterprise networks, aiding in data exfiltration or even denial of service attacks.
There are currently no standardised APIs that allow IT administrators to tap into and regulate the amount of traffic these devices flood networks with. These machine-to-machine devices are low-energy; as such, they change the way we look at network traffic by only broadcasting intermittent bursts of data. This could pose significant issues with regards to how IT administrators analyse traffic patterns.
How likely is an attack on the IoT?
Although there are currently no reports of in-the-wild attacks, in-lab simulations have proven that many IP-enabled devices could be vulnerable if targeted by cybercriminals.
In the event that an IoT infrastructure is hacked due to a vulnerability in one of these IP-enabled devices, a company may be subject to persistent and covert infiltration that may cause critical data exfiltration and even financial losses. Keeping in mind that future IoT devices will behave just like any other network-connected appliance, without proper security mechanisms, policies and network filtering capabilities in place, they could become beachheads for cybercriminal attacks.
Remaining secure while utilising the IoT
Network segregation is one of the first and most basic security steps that organisations should take, especially when dealing with BYOD (bring your own device) or BYOW (bring your own wearable). This will allow devices to have limited or no access to sensitive company resources, in turn significantly reducing the attack surface.
Early IoT adopters must make efforts to safeguard their organisations from attack. Just as with any new network-connected devices, users should first look to change the default credentials. It is common for attackers to brute-force their way into them by using default user names and passwords such as “admin” or “password” to gain remote control.
Although manufacturers are not always quick to push security updates for known vulnerabilities, once they are available users should immediately install them. Cybercriminals often infect systems by targeting outdated software – so whether it is a laptop or a smart device, security updates must be installed with the same diligence by users.
Image source: Shutterstock